Date:      Sun, 27 Jan 2002 20:30:26 +0000
From:      Nik Clayton <nik@freebsd.org>
To:        Paul David Fardy <pdf@morgan.ucs.mun.ca>
Cc:        Nik Clayton <nik@FreeBSD.ORG>, Patrick Greenwell <patrick@stealthgeeks.net>, stable@FreeBSD.ORG
Subject:   Re: Firewall config non-intuitiveness
Message-ID:  <20020127203026.B40565@clan.nothing-going-on.org>
In-Reply-To: <200201251647.g0PGlt76013243@plato.ucs.mun.ca>; from pdf@morgan.ucs.mun.ca on Fri, Jan 25, 2002 at 04:51:33PM +0000
References:  <200201251647.g0PGlt76013243@plato.ucs.mun.ca>

On Fri, Jan 25, 2002 at 04:51:33PM +0000, Paul David Fardy wrote:
> Nik Clayton <nik@FreeBSD.ORG> wrote:
> >> I've got a hunch this needs to be a tri-state variable.
> >>
> >>    YES -- Load the firewall rules
> >>    NO  -- Do nothing, default policy is compiled in to the kernel
> >>    OFF -- Explicitly set net.inet.ip.fw.enable=0
> >>
> >> or similar.
>
> Is there a precedent for such tri-state variables in the conf files?

Dunno.  And breaking it out into multiple variables might be better.

> Would it not be better to have a second "enable" variable?
>
>  firewall_enable="NO"         # Set to YES to enable firewall functionality
>                               # Set to DEFAULT to defer to kernel
>  firewall_script="/etc/rc.firewall" # Which script to run to set up the firewall
>  firewall_script_enable="YES" # Run ${firewall_script} (or NO)

Why not ditch firewall_enable in new installs (or make it a synonym for
firewall_script_enable, which would be more accurate), and teach ipfw
how to kldload ipfw.ko if it's not already running?

N
-- 
FreeBSD: The Power to Serve      http://www.freebsd.org/               (__)
FreeBSD Documentation Project    http://www.freebsd.org/docproj/    \\\'',)
                                                                      \/  \ ^
   --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---         .\._/_)
